Attack Surface Management Explained

Key Points

  • An organization’s attack surface is the complete set of potential entry points for attackers, ranging from web login forms and misconfigured cloud buckets to legacy systems and third‑party supply‑chain applications.
  • Attack Surface Management (ASM) aims to shrink that surface by continuously mapping an organization’s digital footprint from an “outside‑in” perspective, much like a red‑team attacker would use tools such as Kali Linux to discover and catalog exposed assets.
  • ASM solutions automatically identify hidden or “shadow IT” resources—unowned cloud services, outdated servers, and other forgotten assets—giving security teams visibility into the parts of the estate they might otherwise miss.
  • With this heightened awareness, organizations can prioritize and remediate vulnerabilities more effectively, integrating ASM into broader vulnerability‑management practices to reduce overall risk and make the organization a smaller, easier‑to‑protect target.

Full Transcript

Source: https://www.youtube.com/watch?v=NqKid53v5x8
Duration: 00:05:10

Sections

  • 00:00:00 What Is Attack Surface Management? (https://www.youtube.com/watch?v=NqKid53v5x8&t=0s). Sam Hector explains that Attack Surface Management involves identifying and reducing all potential entry points—like web logins, misconfigured cloud buckets, outdated servers, and partner systems—to shrink an organization’s overall exposure and improve security.
  • 00:03:07 Iterative Attack Surface Management (https://www.youtube.com/watch?v=NqKid53v5x8&t=187s). The video outlines a four‑step, outside‑in ASM workflow—discovering unknown assets, gaining deep insight, prioritizing remediation, and continuously testing effectiveness—using cloud‑delivered tools like Randori to move assets from “unknown and exposed” to “known and unexposed” and thereby reduce risk.

Transcript
0:00 ASM, or Attack Surface Management,
0:03 is a relatively new entrant in the cybersecurity defensive arsenal,
0:08 which has leapt up the list of priorities for security teams.
0:11 But what is it, and why should you be considering it?
0:15 I'm Sam Hector from IBM Security,
0:17 and before we talk about ASM, let's first define what an attack surface is.
0:23 An organization's attack surface is the sum total of all potential routes an attacker
0:28 could attempt to use as a point of initial entry.
0:31 For example, an attack surface could be comprised of a log-in web form an attacker could attempt to brute force,
0:37 a misconfigured cloud bucket that's open to public access,
0:41 an unpatched Java application running on a dusty server you thought was decommissioned years ago,
0:46 and even systems in your partner supply chain, like an invoicing and accounting system that has access to your network.
0:53 These, plus every other potential point of entry exposed to an attacker,
0:58 go into forming the total attack surface of an organization,
1:02 and in simplistic terms, shrinking the size of that attack surface reduces an organization's vulnerability to attack,
1:10 and the smaller the target, the easier it is to protect.
1:14 Organizations' attack surfaces vary massively,
1:17 from brick-and-mortar small businesses that have very little digital infrastructure,
1:21 all the way to global energy and telecommunications companies
1:25 with thousands, if not millions, of IoT devices and sensors monitoring every aspect of their supply chain.
1:34 So now we understand what an attack surface is, let's look at what Attack Surface Management does.
1:40 For now, let's switch sides to the red team
1:43 and look at how an attacker would understand an organization's attack surface.
1:47 Typically, they'd use an open source tool like Kali Linux to go away and crawl a company's online presence.
1:54 Or, in other words, use a computer to try the handle on every possible door,
2:00 one by one, until they find all of them.
2:04 Once that attack surface has been mapped,
2:06 typically they would then attempt to understand more about what software is running
2:10 that may be out of date and vulnerable to known attacks
2:14 that they could then use to try and force the door open and gain entry to your organization.
2:20 So now we're back on the blue team.
2:22 How can we use this knowledge to better defend ourselves?
2:26 Well, many businesses are deploying Attack Surface Management solutions
2:30 to help them take an outside-in view on their security posture,
2:35 because ASM solutions scan your digital presence much like an attacker would,
2:40 often exposing those shadow IT resources we spoke about earlier -
2:45 like cloud services without an owner, and old servers running unpatched software.
2:51 This Venn diagram is all about awareness.
2:54 There will always be vulnerabilities and zero-day attacks that a business needs to address,
3:00 but they're only able to do that on the subsection of the IT estate that they're actively tracking and aware of.
3:08 Through robust vulnerability management practices,
3:11 businesses should always seek to minimize the number of systems they know about which are exposed to attack -
3:18 this "known and exposed" section in the middle.
3:22 By giving businesses an outside-in view on their attack surface,
3:26 ASM helps move items from the most risky, "unknown and exposed" category
3:32 over to the "known and exposed" category,
3:35 and then prioritize in what order to move those over to the "known and unexposed" category.
3:41 Or, in other words, it helps them take the fastest path to reduce their risk
3:45 by discovering unknown assets, then patching the systems which are at most risk first.
3:52 The best ASM systems, like IBM's acquisition Randori,
3:57 will be able to deliver this entirely from the cloud without any software to deploy,
4:02 and build an ethos of cyclical and ongoing improvement into the workflow,
4:07 much like sparring with an attacker, to improve and validate defenses on an iterative basis.
4:14 This is typically a four-step process:
4:17 Firstly, discovering unknown attack surfaces.
4:20 Secondly, gaining insight and a deep understanding of them, finding out what that tool is actually doing.
4:27 Then prioritizing which of these targets are most tempting to attackers and iteratively improving the risk posture.
4:34 And finally, testing to validate the effectiveness of your actions.
4:39 Throughout this, Randori is continuously providing our clients an attacker's point of view,
4:45 with our dedicated team of white hat hackers that help our clients understand which are their most tempting targets.
4:52 To show a report for your company, all we need is your email address and your permission.
4:58 So to get one, click on the link in the description and get involved in the conversation in the comments below.
5:05 Check out our other cybersecurity videos and subscribe to see more in the future.